Jon P. Giza wrote:
Hello all:
I am trying to set up an 802.1x WiFi authentication system using freeradius.
My setup is as follows:
Windows XP SP2 as the supplicant using PEAP/MSCHAPv2
Cisco Aironet 1231
Freeradius 1.1.0
IBM Lotus Domino LDAP
The process is mostly working - Freeradius binds to LDAP properly, the User
gets authorized, Freeradius pulls the correct password hash from the Domino
LDAP server. But then the MSCHAP portion fails. The portion of the log which
I believe shows the problem is shown below.
I am thinking that the problem is that I am not telling Freeradius how to
hash the supplied password correctly to match the Domino password. The
aggravating part is that we are using the exact same Domino LDAP server to
authenticate our VPN users.
That's only relevant if the VPN is using MS-CHAP to authenticate, and
even then only if it's doing it by extracting the hash as opposed to
"some other" method.
Full (sanitized) copy of the debug output is here:
http://www.xbytenetworks.com/debug-log.txt
Copy of Radiusd.conf is here: http://www.xbytenetworks.com/radiusd.conf
Thanks in advance for any help you can offer.
Jon
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jon.giza
radius_xlat: '(uid=jon.giza)'
radius_xlat: 'OU=Waukesha,OU=NA,O=MyCo'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Waukesha,OU=NA,O=MyCo, with filter (uid=jon.giza)
rlm_ldap: Added password (6BDC5527858B28XXXXXXXXXEFAF2323F) in check items
That looks like the right format to be an NT hash. However, the default
radiusd.conf (and yours) says:
# NOTICE: The password_header directive is NOT case insensitive
#
# password_header = "{clear}"
#
# Set:
# password_attribute = nspmPassword
#
# to get the user's password from a Novell eDirectory
# backend. This will work *only if* freeRADIUS is
# configured to build with --with-edir option.
#
#
# The server can usually figure this out on its own, and pull
# the correct User-Password or NT-Password from the database.
#
# Note that NT-Passwords MUST be stored as a 32-digit hex
# string, and MUST start off with "0x", such as:
#
# 0x000102030405060708090a0b0c0d0e0f
#
# Without the leading "0x", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
Having said that, I don't see any evidence of this so-called "figuring
out" in the rlm_ldap source code - it looks to me like it does this:
if password_attribute:
    val = ldap_result_attr(password_attribute)
    if password_header:
        if val.startswith(password_header):
            val = val.remove(password_header)
        else:
            error("no password header found")
    check_items.add("Password", val)
i.e. a straight copy to User-Password with optional removal of a {type} header.
What you want to do is get the NT hash into the "NT-Password" attribute,
which you normally do in the ldap.attrmap section. By default this is
set up to do this:
checkItem LM-Password lmPassword
checkItem NT-Password ntPassword
...but from the looks of it your LDAP has the NT hash unadorned in the
"userPassword" attribute. So, comment out "password_attribute" in the
LDAP module, and set this in the ldap.attrmap file:
checkItem NT-Password userPassword
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jon.giza authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 5
rlm_mschap: Told to do MS-CHAPv2 for jon.giza with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 5
modcall: leaving group MS-CHAP (returns reject) for request 5
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 5
modcall: leaving group authenticate (returns reject) for request 5
auth: Failed to validate the user.
Login incorrect: [jon.giza/<no User-Password attribute>] (from client wifi.myco.com port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 152 to 10.100.224.235 port 1645
EAP-Message = 0x010800261900170301001b1bb3ec40925325e30990ce3b14a78af7abc1f7222d06716740d2ff
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x132496908cd3121e6967d7ddafcdd795
Finished request 5
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
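Added by the editor, not from the thread: a Python check for the diagnosis given above. It computes the NT hash (MD4 over the UTF-16LE password) of a test account whose password you know, and compares it with what the directory's userPassword attribute actually holds, normalising to the 0x-prefixed 32-hex form radiusd.conf documents. The function names are this example's own, and the account and hash values used in it are constructed.

```python
import struct
MASK = 0xFFFFFFFF

def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on modern OpenSSL builds."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, shift table, X[k] index order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + f(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate roles: the next step updates the old d
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password, as 32 uppercase hex digits."""
    return _md4(password.encode("utf-16le")).hex().upper()

def to_freeradius_nt_password(value: str) -> str:
    """Normalise a directory value to the form radiusd.conf documents: 0x + 32 hex digits.
    Raises ValueError if the value is not a plausible NT hash at all (e.g. a {SHA} value)."""
    v = value.strip()
    if v.lower().startswith("0x"):
        v = v[2:]
    if len(v) != 32 or any(ch not in "0123456789abcdefABCDEF" for ch in v):
        raise ValueError(f"not a 32-digit hex NT hash: {value!r}")
    return "0x" + v.upper()

def directory_value_matches(ldap_value: str, known_password: str) -> bool:
    """Does the attribute value equal the NT hash of the test account's known password?"""
    try:
        return to_freeradius_nt_password(ldap_value) == "0x" + nt_hash(known_password)
    except ValueError:
        return False

if __name__ == "__main__":  # constructed test account with password "password"
    print(nt_hash("password"))                                                        # 8846F7EAEE8FB117AD06BDD830B7586C
    print(directory_value_matches("8846f7eaee8fb117ad06bdd830b7586c", "password"))    # True
```

If the comparison is False for an account whose password you are sure of, the directory is not storing an NT hash in that attribute and no attrmap change will make rlm_mschap succeed.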